{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "4074bec6-15e2-4a0f-b177-d1c8b58e2794",
   "metadata": {},
   "source": [
    "# LocalOsquery Data Provider"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "94d3bef5-29f1-4073-944a-17f8c398d185",
   "metadata": {},
   "source": [
     "https://msticpy.readthedocs.io/en/v1.1.0/data_acquisition/DataProviders.html#using-local-data-the-localdata-provider\n",
     "\n",
     "This notebook points the msticpy `LocalOsquery` data provider at a local directory of osquery result logs and runs the bundled query definitions against them. Note that the saved cell outputs below include identifiers from the analysed host (e.g. the `decorations_host_uuid` value and paths such as `/root/.viminfo`) even though `hostIdentifier` has been replaced with `HOSTNAME`; clear or fully redact outputs before sharing or committing this notebook."
   ]
  },
  {
   "cell_type": "markdown",
   "id": "27b49194-ad13-44f1-87b2-950b9a79b25e",
   "metadata": {},
   "source": [
    "## Imports"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "id": "8fd33393-740d-403a-98a1-419c8bbb6b9f",
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "\n",
       "This product includes GeoLite2 data created by MaxMind, available from\n",
       "<a href=\"https://www.maxmind.com\">https://www.maxmind.com</a>.\n"
      ],
      "text/plain": [
       "<IPython.core.display.HTML object>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Imports Complete\n"
     ]
    }
   ],
   "source": [
     "# Check that the active kernel is Python 3.6 or later (MIN_REQ_PYTHON); exit otherwise\n",
    "import sys\n",
    "MIN_REQ_PYTHON = (3,6)\n",
    "if sys.version_info < MIN_REQ_PYTHON:\n",
    "    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')\n",
    "    print('or later is selected as the active kernel.')\n",
    "    sys.exit(\"Python %s.%s or later is required.\\n\" % MIN_REQ_PYTHON)\n",
    "\n",
    "#imports\n",
    "import json\n",
    "import yaml\n",
    "import msticpy.nbtools as nbtools\n",
    "\n",
     "#data library imports (note: msticpy.nbtools is imported twice in this cell under two aliases, nbtools and mas - one of them can be dropped)\n",
    "from msticpy.data.data_providers import QueryProvider\n",
    "import msticpy.nbtools as mas\n",
    "\n",
    "print('Imports Complete')"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "4e217fc3-1c95-471e-81c9-f9a1e76563e6",
   "metadata": {},
   "source": [
    "## Variables"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "id": "f535e335-0732-4053-bdfe-1155c7a4a983",
   "metadata": {},
   "outputs": [],
   "source": [
     "# Directory containing the osquery result logs (osqueryd.results.log or other *.log files).\n",
     "# Tested with a single file (osqueryd.results.log) and with two files (osqueryd.results.log + osqueryd.snapshots.log).\n",
    "datadir = \"/path/to/var/log/osquery\"\n",
     "# Directory containing the query-definition YAML file (passed as query_paths to the QueryProvider below).\n",
    "query_path = \"/path/to\""
   ]
  },
  {
   "cell_type": "markdown",
   "id": "cffc9da9-c97e-47b7-975a-5c64cd880169",
   "metadata": {},
   "source": [
    "## Load Data"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "id": "ad5cf782-2125-4b6b-be20-5425abe891a1",
   "metadata": {},
   "outputs": [],
   "source": [
    "# Specify path to look for data files\n",
    "data_path = datadir\n",
    "qry_prov = QueryProvider(\"LocalOsquery\",\n",
    "                         data_paths=[data_path],\n",
    "                         query_paths=[query_path]\n",
    "                        )"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "id": "22d00318-7269-401b-88d3-078d3fa47e17",
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{'pack_osquery-custom-pack2_processes': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_euid': 'object', 'columns_name': 'object', 'columns_parent': 'object', 'columns_path': 'object', 'columns_pcmdline': 'object', 'columns_pid': 'object', 'columns_uid': 'object', 'columns_username': 'object'}, 'pack_osquery-custom-pack2_process_binding_to_ports': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_pid': 'object', 'columns_port': 'object', 'columns_protocol': 'object'}, 'pack_osquery-monitoring_osquery_info': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_build_distro': 'object', 'columns_build_platform': 'object', 'columns_config_hash': 'object', 'columns_config_valid': 'object', 'columns_counter': 'object', 'columns_extensions': 'object', 'columns_instance_id': 'object', 'columns_platform_mask': 'object', 'columns_resident_size': 'object', 'columns_start_time': 'object', 'columns_system_time': 'object', 'columns_user_time': 'object', 'columns_uuid': 'object', 'columns_version': 'object', 'columns_watcher': 'object'}, 'pack_osquery-custom-pack2_outbound_connections': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 
'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_name': 'object', 'columns_path': 'object', 'columns_pcmdline': 'object', 'columns_pid': 'object', 'columns_username': 'object', 'columns_local_port': 'object', 'columns_md5': 'object', 'columns_remote_address': 'object', 'columns_remote_port': 'object'}, 'pack_incident-response_mounts': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_blocks': 'object', 'columns_blocks_available': 'object', 'columns_blocks_free': 'object', 'columns_blocks_size': 'object', 'columns_device': 'object', 'columns_device_alias': 'object', 'columns_flags': 'object', 'columns_inodes': 'object', 'columns_inodes_free': 'object', 'columns_type': 'object'}, 'pack_osquery-custom-pack2_process_env': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_pid': 'object', 'columns_key': 'object', 'columns_value': 'object'}, 'pack_incident-response_listening_ports': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object', 'columns_port': 'object', 'columns_protocol': 'object', 'columns_address': 'object', 'columns_family': 'object', 'columns_fd': 'object', 'columns_net_namespace': 'object', 'columns_socket': 'object'}, 'pack_osquery-monitoring_schedule': {'name': 'object', 'hostIdentifier': 
'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_average_memory': 'object', 'columns_avg_system_time': 'object', 'columns_avg_user_time': 'object', 'columns_denylisted': 'object', 'columns_executions': 'object', 'columns_interval': 'object', 'columns_last_executed': 'object', 'columns_output_size': 'object', 'columns_wall_time': 'object'}, 'pack_incident-response_process_env': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_key': 'object', 'columns_value': 'object'}, 'fim': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_username': 'object', 'columns_md5': 'object', 'columns_action': 'object', 'columns_atime': 'datetime64[ns]', 'columns_category': 'object', 'columns_ctime': 'datetime64[ns]', 'columns_mode': 'object', 'columns_mtime': 'datetime64[ns]', 'columns_sha256': 'object', 'columns_size': 'object', 'columns_target_path': 'object', 'columns_time': 'datetime64[ns]'}, 'pack_incident-response_open_files': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object'}, 'pack_incident-response_last': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 
'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_pid': 'object', 'columns_username': 'object', 'columns_type': 'object', 'columns_time': 'datetime64[ns]', 'columns_host': 'object', 'columns_tty': 'object', 'columns_type_name': 'object'}, 'pack_incident-response_logged_in_users': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_cmdline': 'object', 'columns_name': 'object', 'columns_pid': 'object', 'columns_type': 'object', 'columns_time': 'datetime64[ns]', 'columns_host': 'object', 'columns_tty': 'object', 'columns_cwd': 'object', 'columns_root': 'object', 'columns_user': 'object'}, 'pack_osquery-custom-pack2_known_hosts': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_key': 'object', 'columns_key_file': 'object'}, 'pack_incident-response_process_memory': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_path': 'object', 'columns_pid': 'object', 'columns_device': 'object', 'columns_end': 'object', 'columns_inode': 'object', 'columns_offset': 'object', 'columns_permissions': 'object', 'columns_pseudo': 'object', 'columns_start': 'object'}, 'pack_vuln-management_deb_packages': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 
'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_name': 'object', 'columns_version': 'object', 'columns_size': 'object', 'columns_admindir': 'object', 'columns_arch': 'object', 'columns_maintainer': 'object', 'columns_priority': 'object', 'columns_revision': 'object', 'columns_section': 'object', 'columns_source': 'object', 'columns_status': 'object'}, 'pack_incident-response_shell_history': {'name': 'object', 'hostIdentifier': 'object', 'calendarTime': 'object', 'unixTime': 'datetime64[ns]', 'epoch': 'int64', 'counter': 'int64', 'numerics': 'bool', 'action': 'object', 'decorations_host_uuid': 'object', 'decorations_username': 'object', 'columns_uid': 'object', 'columns_username': 'object', 'columns_uuid': 'object', 'columns_time': 'datetime64[ns]', 'columns_command': 'object', 'columns_description': 'object', 'columns_directory': 'object', 'columns_gid': 'object', 'columns_gid_signed': 'object', 'columns_history_file': 'object', 'columns_shell': 'object', 'columns_uid_signed': 'object'}}\n",
      "CPU times: user 2min 45s, sys: 602 ms, total: 2min 46s\n",
      "Wall time: 2min 49s\n"
     ]
    }
   ],
   "source": [
    "%%time\n",
     "# Show the schema of the data files read in.\n",
     "# Slow: ~2m45s for a ~1MB log file in this run. The query cells further down take about as long again,\n",
     "# which suggests the provider re-parses the log files on every call rather than caching them.\n",
    "print(qry_prov.schema)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "id": "9f8a0b5c-2c86-4c70-9a0c-bb759045f9b1",
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{\n",
      "  \"pack_osquery-custom-pack2_processes\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_cmdline\": \"object\",\n",
      "    \"columns_euid\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_parent\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_pcmdline\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_uid\": \"object\",\n",
      "    \"columns_username\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-custom-pack2_process_binding_to_ports\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_port\": \"object\",\n",
      "    \"columns_protocol\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-monitoring_osquery_info\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_build_distro\": \"object\",\n",
      "    \"columns_build_platform\": \"object\",\n",
      "    \"columns_config_hash\": \"object\",\n",
      "    \"columns_config_valid\": \"object\",\n",
      "    \"columns_counter\": \"object\",\n",
      "    \"columns_extensions\": \"object\",\n",
      "    \"columns_instance_id\": \"object\",\n",
      "    \"columns_platform_mask\": \"object\",\n",
      "    \"columns_resident_size\": \"object\",\n",
      "    \"columns_start_time\": \"object\",\n",
      "    \"columns_system_time\": \"object\",\n",
      "    \"columns_user_time\": \"object\",\n",
      "    \"columns_uuid\": \"object\",\n",
      "    \"columns_version\": \"object\",\n",
      "    \"columns_watcher\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-custom-pack2_outbound_connections\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_cmdline\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_pcmdline\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_username\": \"object\",\n",
      "    \"columns_local_port\": \"object\",\n",
      "    \"columns_md5\": \"object\",\n",
      "    \"columns_remote_address\": \"object\",\n",
      "    \"columns_remote_port\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_mounts\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_blocks\": \"object\",\n",
      "    \"columns_blocks_available\": \"object\",\n",
      "    \"columns_blocks_free\": \"object\",\n",
      "    \"columns_blocks_size\": \"object\",\n",
      "    \"columns_device\": \"object\",\n",
      "    \"columns_device_alias\": \"object\",\n",
      "    \"columns_flags\": \"object\",\n",
      "    \"columns_inodes\": \"object\",\n",
      "    \"columns_inodes_free\": \"object\",\n",
      "    \"columns_type\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-custom-pack2_process_env\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_cmdline\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_key\": \"object\",\n",
      "    \"columns_value\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_listening_ports\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_port\": \"object\",\n",
      "    \"columns_protocol\": \"object\",\n",
      "    \"columns_address\": \"object\",\n",
      "    \"columns_family\": \"object\",\n",
      "    \"columns_fd\": \"object\",\n",
      "    \"columns_net_namespace\": \"object\",\n",
      "    \"columns_socket\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-monitoring_schedule\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_average_memory\": \"object\",\n",
      "    \"columns_avg_system_time\": \"object\",\n",
      "    \"columns_avg_user_time\": \"object\",\n",
      "    \"columns_denylisted\": \"object\",\n",
      "    \"columns_executions\": \"object\",\n",
      "    \"columns_interval\": \"object\",\n",
      "    \"columns_last_executed\": \"object\",\n",
      "    \"columns_output_size\": \"object\",\n",
      "    \"columns_wall_time\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_process_env\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_key\": \"object\",\n",
      "    \"columns_value\": \"object\"\n",
      "  },\n",
      "  \"fim\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_uid\": \"object\",\n",
      "    \"columns_username\": \"object\",\n",
      "    \"columns_md5\": \"object\",\n",
      "    \"columns_action\": \"object\",\n",
      "    \"columns_atime\": \"datetime64[ns]\",\n",
      "    \"columns_category\": \"object\",\n",
      "    \"columns_ctime\": \"datetime64[ns]\",\n",
      "    \"columns_mode\": \"object\",\n",
      "    \"columns_mtime\": \"datetime64[ns]\",\n",
      "    \"columns_sha256\": \"object\",\n",
      "    \"columns_size\": \"object\",\n",
      "    \"columns_target_path\": \"object\",\n",
      "    \"columns_time\": \"datetime64[ns]\"\n",
      "  },\n",
      "  \"pack_incident-response_open_files\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_pid\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_last\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_username\": \"object\",\n",
      "    \"columns_type\": \"object\",\n",
      "    \"columns_time\": \"datetime64[ns]\",\n",
      "    \"columns_host\": \"object\",\n",
      "    \"columns_tty\": \"object\",\n",
      "    \"columns_type_name\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_logged_in_users\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_cmdline\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_type\": \"object\",\n",
      "    \"columns_time\": \"datetime64[ns]\",\n",
      "    \"columns_host\": \"object\",\n",
      "    \"columns_tty\": \"object\",\n",
      "    \"columns_cwd\": \"object\",\n",
      "    \"columns_root\": \"object\",\n",
      "    \"columns_user\": \"object\"\n",
      "  },\n",
      "  \"pack_osquery-custom-pack2_known_hosts\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_uid\": \"object\",\n",
      "    \"columns_key\": \"object\",\n",
      "    \"columns_key_file\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_process_memory\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_path\": \"object\",\n",
      "    \"columns_pid\": \"object\",\n",
      "    \"columns_device\": \"object\",\n",
      "    \"columns_end\": \"object\",\n",
      "    \"columns_inode\": \"object\",\n",
      "    \"columns_offset\": \"object\",\n",
      "    \"columns_permissions\": \"object\",\n",
      "    \"columns_pseudo\": \"object\",\n",
      "    \"columns_start\": \"object\"\n",
      "  },\n",
      "  \"pack_vuln-management_deb_packages\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_name\": \"object\",\n",
      "    \"columns_version\": \"object\",\n",
      "    \"columns_size\": \"object\",\n",
      "    \"columns_admindir\": \"object\",\n",
      "    \"columns_arch\": \"object\",\n",
      "    \"columns_maintainer\": \"object\",\n",
      "    \"columns_priority\": \"object\",\n",
      "    \"columns_revision\": \"object\",\n",
      "    \"columns_section\": \"object\",\n",
      "    \"columns_source\": \"object\",\n",
      "    \"columns_status\": \"object\"\n",
      "  },\n",
      "  \"pack_incident-response_shell_history\": {\n",
      "    \"name\": \"object\",\n",
      "    \"hostIdentifier\": \"object\",\n",
      "    \"calendarTime\": \"object\",\n",
      "    \"unixTime\": \"datetime64[ns]\",\n",
      "    \"epoch\": \"int64\",\n",
      "    \"counter\": \"int64\",\n",
      "    \"numerics\": \"bool\",\n",
      "    \"action\": \"object\",\n",
      "    \"decorations_host_uuid\": \"object\",\n",
      "    \"decorations_username\": \"object\",\n",
      "    \"columns_uid\": \"object\",\n",
      "    \"columns_username\": \"object\",\n",
      "    \"columns_uuid\": \"object\",\n",
      "    \"columns_time\": \"datetime64[ns]\",\n",
      "    \"columns_command\": \"object\",\n",
      "    \"columns_description\": \"object\",\n",
      "    \"columns_directory\": \"object\",\n",
      "    \"columns_gid\": \"object\",\n",
      "    \"columns_gid_signed\": \"object\",\n",
      "    \"columns_history_file\": \"object\",\n",
      "    \"columns_shell\": \"object\",\n",
      "    \"columns_uid_signed\": \"object\"\n",
      "  }\n",
      "}\n"
     ]
    }
   ],
   "source": [
    "print(json.dumps(qry_prov.schema, indent=2))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "id": "9d42e2d3-1920-4f3a-882e-93521ed160c6",
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['file.deb_packages',\n",
       " 'file.fim',\n",
       " 'linux.deb_packages',\n",
       " 'linux.fim',\n",
       " 'linux.osquery_info',\n",
       " 'linux.outbound_connections',\n",
       " 'linux.process_binding_to_ports',\n",
       " 'linux.processes',\n",
       " 'linux.shell_history',\n",
       " 'network.outbound_connections',\n",
       " 'network.process_binding_to_ports',\n",
       " 'process.process_binding_to_ports',\n",
       " 'process.processes',\n",
       " 'shell.shell_history']"
      ]
     },
     "execution_count": 6,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "qry_prov.list_queries()"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "id": "9a399729-392a-4c5e-a959-ba50121403b4",
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 2min 44s, sys: 26.8 ms, total: 2min 44s\n",
      "Wall time: 2min 45s\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>name</th>\n",
       "      <th>hostIdentifier</th>\n",
       "      <th>calendarTime</th>\n",
       "      <th>unixTime</th>\n",
       "      <th>epoch</th>\n",
       "      <th>counter</th>\n",
       "      <th>numerics</th>\n",
       "      <th>action</th>\n",
       "      <th>decorations_host_uuid</th>\n",
       "      <th>decorations_username</th>\n",
       "      <th>...</th>\n",
       "      <th>columns_action</th>\n",
       "      <th>columns_atime</th>\n",
       "      <th>columns_category</th>\n",
       "      <th>columns_ctime</th>\n",
       "      <th>columns_mode</th>\n",
       "      <th>columns_mtime</th>\n",
       "      <th>columns_sha256</th>\n",
       "      <th>columns_size</th>\n",
       "      <th>columns_target_path</th>\n",
       "      <th>columns_time</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>793</th>\n",
       "      <td>fim</td>\n",
       "      <td>HOSTNAME</td>\n",
       "      <td>Fri Feb  3 11:52:32 2023 UTC</td>\n",
       "      <td>1675425152</td>\n",
       "      <td>0</td>\n",
       "      <td>8</td>\n",
       "      <td>False</td>\n",
       "      <td>added</td>\n",
       "      <td>F7E6787D-B2D8-4830-854E-33AF0A1338B8</td>\n",
       "      <td></td>\n",
       "      <td>...</td>\n",
       "      <td>DELETED</td>\n",
       "      <td>1675425150</td>\n",
       "      <td>roothome</td>\n",
       "      <td>1675425150</td>\n",
       "      <td>0600</td>\n",
       "      <td>1675425150</td>\n",
       "      <td></td>\n",
       "      <td>30306</td>\n",
       "      <td>/root/.viminfo</td>\n",
       "      <td>1675425150</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 23 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "    name hostIdentifier                  calendarTime    unixTime  epoch  \\\n",
       "793  fim       HOSTNAME  Fri Feb  3 11:52:32 2023 UTC  1675425152      0   \n",
       "\n",
       "     counter  numerics action                 decorations_host_uuid  \\\n",
       "793        8     False  added  F7E6787D-B2D8-4830-854E-33AF0A1338B8   \n",
       "\n",
       "    decorations_username  ... columns_action columns_atime columns_category  \\\n",
       "793                       ...        DELETED    1675425150         roothome   \n",
       "\n",
       "    columns_ctime columns_mode columns_mtime columns_sha256 columns_size  \\\n",
       "793    1675425150         0600    1675425150                       30306   \n",
       "\n",
       "    columns_target_path columns_time  \n",
       "793      /root/.viminfo   1675425150  \n",
       "\n",
       "[1 rows x 23 columns]"
      ]
     },
     "execution_count": 7,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "%%time\n",
    "df_fim = qry_prov.linux.fim()\n",
    "df_fim.head(1)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 8,
   "id": "842678a3-b7d3-4698-94c2-62e61ef34d6b",
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 2min 46s, sys: 30.1 ms, total: 2min 46s\n",
      "Wall time: 2min 48s\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>name</th>\n",
       "      <th>hostIdentifier</th>\n",
       "      <th>calendarTime</th>\n",
       "      <th>unixTime</th>\n",
       "      <th>epoch</th>\n",
       "      <th>counter</th>\n",
       "      <th>numerics</th>\n",
       "      <th>action</th>\n",
       "      <th>decorations_host_uuid</th>\n",
       "      <th>decorations_username</th>\n",
       "      <th>columns_cmdline</th>\n",
       "      <th>columns_euid</th>\n",
       "      <th>columns_name</th>\n",
       "      <th>columns_parent</th>\n",
       "      <th>columns_path</th>\n",
       "      <th>columns_pcmdline</th>\n",
       "      <th>columns_pid</th>\n",
       "      <th>columns_uid</th>\n",
       "      <th>columns_username</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>pack_osquery-custom-pack2_processes</td>\n",
       "      <td>HOSTNAME</td>\n",
       "      <td>Fri Feb  3 06:28:25 2023 UTC</td>\n",
       "      <td>1675405705</td>\n",
       "      <td>0</td>\n",
       "      <td>876</td>\n",
       "      <td>False</td>\n",
       "      <td>removed</td>\n",
       "      <td>F7E6787D-B2D8-4830-854E-33AF0A1338B8</td>\n",
       "      <td></td>\n",
       "      <td>/bin/sh /usr/local/scripts/audispd_report.sh</td>\n",
       "      <td>102</td>\n",
       "      <td>sudo</td>\n",
       "      <td>54935</td>\n",
       "      <td></td>\n",
       "      <td>sudo -u syslog /usr/local/scripts/audispd_repo...</td>\n",
       "      <td>54940</td>\n",
       "      <td>102</td>\n",
       "      <td>syslog</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                  name hostIdentifier  \\\n",
       "0  pack_osquery-custom-pack2_processes       HOSTNAME   \n",
       "\n",
       "                   calendarTime    unixTime  epoch  counter  numerics  \\\n",
       "0  Fri Feb  3 06:28:25 2023 UTC  1675405705      0      876     False   \n",
       "\n",
       "    action                 decorations_host_uuid decorations_username  \\\n",
       "0  removed  F7E6787D-B2D8-4830-854E-33AF0A1338B8                        \n",
       "\n",
       "                                columns_cmdline columns_euid columns_name  \\\n",
       "0  /bin/sh /usr/local/scripts/audispd_report.sh          102         sudo   \n",
       "\n",
       "  columns_parent columns_path  \\\n",
       "0          54935                \n",
       "\n",
       "                                    columns_pcmdline columns_pid columns_uid  \\\n",
       "0  sudo -u syslog /usr/local/scripts/audispd_repo...       54940         102   \n",
       "\n",
       "  columns_username  \n",
       "0           syslog  "
      ]
     },
     "execution_count": 8,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "%%time\n",
    "df_process = qry_prov.linux.processes()\n",
    "df_process.head(1)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "id": "5609dda9-4072-4387-a633-a53fe515cdc8",
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "CPU times: user 2min 43s, sys: 27.6 ms, total: 2min 43s\n",
      "Wall time: 2min 46s\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>name</th>\n",
       "      <th>hostIdentifier</th>\n",
       "      <th>calendarTime</th>\n",
       "      <th>unixTime</th>\n",
       "      <th>epoch</th>\n",
       "      <th>counter</th>\n",
       "      <th>numerics</th>\n",
       "      <th>action</th>\n",
       "      <th>decorations_host_uuid</th>\n",
       "      <th>decorations_username</th>\n",
       "      <th>columns_cmdline</th>\n",
       "      <th>columns_name</th>\n",
       "      <th>columns_path</th>\n",
       "      <th>columns_pcmdline</th>\n",
       "      <th>columns_pid</th>\n",
       "      <th>columns_username</th>\n",
       "      <th>columns_local_port</th>\n",
       "      <th>columns_md5</th>\n",
       "      <th>columns_remote_address</th>\n",
       "      <th>columns_remote_port</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>90</th>\n",
       "      <td>pack_osquery-custom-pack2_outbound_connections</td>\n",
       "      <td>HOSTNAME</td>\n",
       "      <td>Fri Feb  3 07:00:47 2023 UTC</td>\n",
       "      <td>1675407647</td>\n",
       "      <td>0</td>\n",
       "      <td>59</td>\n",
       "      <td>False</td>\n",
       "      <td>removed</td>\n",
       "      <td>F7E6787D-B2D8-4830-854E-33AF0A1338B8</td>\n",
       "      <td></td>\n",
       "      <td>/usr/local/bin/prometheus --storage.tsdb.path=...</td>\n",
       "      <td>prometheus</td>\n",
       "      <td>/usr/local/bin/prometheus</td>\n",
       "      <td>/sbin/init</td>\n",
       "      <td>1510</td>\n",
       "      <td>prometheus</td>\n",
       "      <td>34404</td>\n",
       "      <td></td>\n",
       "      <td>10.8.0.77</td>\n",
       "      <td>9100</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                              name hostIdentifier  \\\n",
       "90  pack_osquery-custom-pack2_outbound_connections       HOSTNAME   \n",
       "\n",
       "                    calendarTime    unixTime  epoch  counter  numerics  \\\n",
       "90  Fri Feb  3 07:00:47 2023 UTC  1675407647      0       59     False   \n",
       "\n",
       "     action                 decorations_host_uuid decorations_username  \\\n",
       "90  removed  F7E6787D-B2D8-4830-854E-33AF0A1338B8                        \n",
       "\n",
       "                                      columns_cmdline columns_name  \\\n",
       "90  /usr/local/bin/prometheus --storage.tsdb.path=...   prometheus   \n",
       "\n",
       "                 columns_path columns_pcmdline columns_pid columns_username  \\\n",
       "90  /usr/local/bin/prometheus       /sbin/init        1510       prometheus   \n",
       "\n",
       "   columns_local_port columns_md5 columns_remote_address columns_remote_port  \n",
       "90              34404                          10.8.0.77                9100  "
      ]
     },
     "execution_count": 9,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "%%time\n",
    "df_outbound_conn = qry_prov.linux.outbound_connections()\n",
    "df_outbound_conn.head(1)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "3d0f7eeb-483b-474c-8ccf-98dc32e06a08",
   "metadata": {},
   "outputs": [],
   "source": []
  },
  {
   "cell_type": "markdown",
   "id": "060be256-6d33-46e9-a070-bd6f91fe77ce",
   "metadata": {},
   "source": [
     "## Analysis examples\n",
     "\n",
     "The cells below build an msticpy process tree from `df_process`, the osquery `processes` events loaded by the `qry_prov.linux.processes()` cell above. They only work if that cell has already run in the same kernel session; the execution counts jump from 10 to 28 here, so this section was last run out of order -- confirm it still runs cleanly with Restart Kernel -> Run All.\n",
     "\n",
     "Caveats before sharing this notebook:\n",
     "\n",
     "- The `hostIdentifier` column in the saved outputs has been replaced with `HOSTNAME`, but `decorations_host_uuid`, an internal address (`10.8.0.77`) and local script paths are still present in the rendered tables; scrub or clear outputs before committing or distributing the notebook.\n",
     "- The Bokeh plot output loads BokehJS 2.4.3 from `cdn.bokeh.org` whenever the notebook is opened. In an offline or egress-restricted analyst environment use `output_notebook(resources=INLINE)` (with `from bokeh.resources import INLINE`) so the visualization renders without a CDN fetch."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 10,
   "id": "d92ce32b-84bf-49c4-b16c-f3f4b345604e",
   "metadata": {},
   "outputs": [],
   "source": [
    "# https://msticpy.readthedocs.io/en/latest/visualization/ProcessTree.html\n",
    "from msticpy.vis import process_tree\n",
    "from msticpy.transform.proc_tree_builder import OSQUERY_EVENT_SCH"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 28,
   "id": "3f78f427-906b-433f-b41f-bc5d27738462",
   "metadata": {},
   "outputs": [],
   "source": [
    "p_tree_lx = process_tree.build_process_tree(df_process, schema=OSQUERY_EVENT_SCH)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 29,
   "id": "62b17e27-1f87-4a47-800d-39f0e359fd3b",
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div class=\"bk-root\">\n",
       "        <a href=\"https://bokeh.org\" target=\"_blank\" class=\"bk-logo bk-logo-small bk-logo-notebook\"></a>\n",
       "        <span id=\"4115\">Loading BokehJS ...</span>\n",
       "    </div>\n"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "data": {
      "application/javascript": [
       "(function(root) {\n",
       "  function now() {\n",
       "    return new Date();\n",
       "  }\n",
       "\n",
       "  const force = true;\n",
       "\n",
       "  if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n",
       "    root._bokeh_onload_callbacks = [];\n",
       "    root._bokeh_is_loading = undefined;\n",
       "  }\n",
       "\n",
       "const JS_MIME_TYPE = 'application/javascript';\n",
       "  const HTML_MIME_TYPE = 'text/html';\n",
       "  const EXEC_MIME_TYPE = 'application/vnd.bokehjs_exec.v0+json';\n",
       "  const CLASS_NAME = 'output_bokeh rendered_html';\n",
       "\n",
       "  /**\n",
       "   * Render data to the DOM node\n",
       "   */\n",
       "  function render(props, node) {\n",
       "    const script = document.createElement(\"script\");\n",
       "    node.appendChild(script);\n",
       "  }\n",
       "\n",
       "  /**\n",
       "   * Handle when an output is cleared or removed\n",
       "   */\n",
       "  function handleClearOutput(event, handle) {\n",
       "    const cell = handle.cell;\n",
       "\n",
       "    const id = cell.output_area._bokeh_element_id;\n",
       "    const server_id = cell.output_area._bokeh_server_id;\n",
       "    // Clean up Bokeh references\n",
       "    if (id != null && id in Bokeh.index) {\n",
       "      Bokeh.index[id].model.document.clear();\n",
       "      delete Bokeh.index[id];\n",
       "    }\n",
       "\n",
       "    if (server_id !== undefined) {\n",
       "      // Clean up Bokeh references\n",
       "      const cmd_clean = \"from bokeh.io.state import curstate; print(curstate().uuid_to_server['\" + server_id + \"'].get_sessions()[0].document.roots[0]._id)\";\n",
       "      cell.notebook.kernel.execute(cmd_clean, {\n",
       "        iopub: {\n",
       "          output: function(msg) {\n",
       "            const id = msg.content.text.trim();\n",
       "            if (id in Bokeh.index) {\n",
       "              Bokeh.index[id].model.document.clear();\n",
       "              delete Bokeh.index[id];\n",
       "            }\n",
       "          }\n",
       "        }\n",
       "      });\n",
       "      // Destroy server and session\n",
       "      const cmd_destroy = \"import bokeh.io.notebook as ion; ion.destroy_server('\" + server_id + \"')\";\n",
       "      cell.notebook.kernel.execute(cmd_destroy);\n",
       "    }\n",
       "  }\n",
       "\n",
       "  /**\n",
       "   * Handle when a new output is added\n",
       "   */\n",
       "  function handleAddOutput(event, handle) {\n",
       "    const output_area = handle.output_area;\n",
       "    const output = handle.output;\n",
       "\n",
       "    // limit handleAddOutput to display_data with EXEC_MIME_TYPE content only\n",
       "    if ((output.output_type != \"display_data\") || (!Object.prototype.hasOwnProperty.call(output.data, EXEC_MIME_TYPE))) {\n",
       "      return\n",
       "    }\n",
       "\n",
       "    const toinsert = output_area.element.find(\".\" + CLASS_NAME.split(' ')[0]);\n",
       "\n",
       "    if (output.metadata[EXEC_MIME_TYPE][\"id\"] !== undefined) {\n",
       "      toinsert[toinsert.length - 1].firstChild.textContent = output.data[JS_MIME_TYPE];\n",
       "      // store reference to embed id on output_area\n",
       "      output_area._bokeh_element_id = output.metadata[EXEC_MIME_TYPE][\"id\"];\n",
       "    }\n",
       "    if (output.metadata[EXEC_MIME_TYPE][\"server_id\"] !== undefined) {\n",
       "      const bk_div = document.createElement(\"div\");\n",
       "      bk_div.innerHTML = output.data[HTML_MIME_TYPE];\n",
       "      const script_attrs = bk_div.children[0].attributes;\n",
       "      for (let i = 0; i < script_attrs.length; i++) {\n",
       "        toinsert[toinsert.length - 1].firstChild.setAttribute(script_attrs[i].name, script_attrs[i].value);\n",
       "        toinsert[toinsert.length - 1].firstChild.textContent = bk_div.children[0].textContent\n",
       "      }\n",
       "      // store reference to server id on output_area\n",
       "      output_area._bokeh_server_id = output.metadata[EXEC_MIME_TYPE][\"server_id\"];\n",
       "    }\n",
       "  }\n",
       "\n",
       "  function register_renderer(events, OutputArea) {\n",
       "\n",
       "    function append_mime(data, metadata, element) {\n",
       "      // create a DOM node to render to\n",
       "      const toinsert = this.create_output_subarea(\n",
       "        metadata,\n",
       "        CLASS_NAME,\n",
       "        EXEC_MIME_TYPE\n",
       "      );\n",
       "      this.keyboard_manager.register_events(toinsert);\n",
       "      // Render to node\n",
       "      const props = {data: data, metadata: metadata[EXEC_MIME_TYPE]};\n",
       "      render(props, toinsert[toinsert.length - 1]);\n",
       "      element.append(toinsert);\n",
       "      return toinsert\n",
       "    }\n",
       "\n",
       "    /* Handle when an output is cleared or removed */\n",
       "    events.on('clear_output.CodeCell', handleClearOutput);\n",
       "    events.on('delete.Cell', handleClearOutput);\n",
       "\n",
       "    /* Handle when a new output is added */\n",
       "    events.on('output_added.OutputArea', handleAddOutput);\n",
       "\n",
       "    /**\n",
       "     * Register the mime type and append_mime function with output_area\n",
       "     */\n",
       "    OutputArea.prototype.register_mime_type(EXEC_MIME_TYPE, append_mime, {\n",
       "      /* Is output safe? */\n",
       "      safe: true,\n",
       "      /* Index of renderer in `output_area.display_order` */\n",
       "      index: 0\n",
       "    });\n",
       "  }\n",
       "\n",
       "  // register the mime type if in Jupyter Notebook environment and previously unregistered\n",
       "  if (root.Jupyter !== undefined) {\n",
       "    const events = require('base/js/events');\n",
       "    const OutputArea = require('notebook/js/outputarea').OutputArea;\n",
       "\n",
       "    if (OutputArea.prototype.mime_types().indexOf(EXEC_MIME_TYPE) == -1) {\n",
       "      register_renderer(events, OutputArea);\n",
       "    }\n",
       "  }\n",
       "  if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n",
       "    root._bokeh_timeout = Date.now() + 5000;\n",
       "    root._bokeh_failed_load = false;\n",
       "  }\n",
       "\n",
       "  const NB_LOAD_WARNING = {'data': {'text/html':\n",
       "     \"<div style='background-color: #fdd'>\\n\"+\n",
       "     \"<p>\\n\"+\n",
       "     \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n",
       "     \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n",
       "     \"</p>\\n\"+\n",
       "     \"<ul>\\n\"+\n",
       "     \"<li>re-rerun `output_notebook()` to attempt to load from CDN again, or</li>\\n\"+\n",
       "     \"<li>use INLINE resources instead, as so:</li>\\n\"+\n",
       "     \"</ul>\\n\"+\n",
       "     \"<code>\\n\"+\n",
       "     \"from bokeh.resources import INLINE\\n\"+\n",
       "     \"output_notebook(resources=INLINE)\\n\"+\n",
       "     \"</code>\\n\"+\n",
       "     \"</div>\"}};\n",
       "\n",
       "  function display_loaded() {\n",
       "    const el = document.getElementById(\"4115\");\n",
       "    if (el != null) {\n",
       "      el.textContent = \"BokehJS is loading...\";\n",
       "    }\n",
       "    if (root.Bokeh !== undefined) {\n",
       "      if (el != null) {\n",
       "        el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n",
       "      }\n",
       "    } else if (Date.now() < root._bokeh_timeout) {\n",
       "      setTimeout(display_loaded, 100)\n",
       "    }\n",
       "  }\n",
       "\n",
       "  function run_callbacks() {\n",
       "    try {\n",
       "      root._bokeh_onload_callbacks.forEach(function(callback) {\n",
       "        if (callback != null)\n",
       "          callback();\n",
       "      });\n",
       "    } finally {\n",
       "      delete root._bokeh_onload_callbacks\n",
       "    }\n",
       "    console.debug(\"Bokeh: all callbacks have finished\");\n",
       "  }\n",
       "\n",
       "  function load_libs(css_urls, js_urls, callback) {\n",
       "    if (css_urls == null) css_urls = [];\n",
       "    if (js_urls == null) js_urls = [];\n",
       "\n",
       "    root._bokeh_onload_callbacks.push(callback);\n",
       "    if (root._bokeh_is_loading > 0) {\n",
       "      console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n",
       "      return null;\n",
       "    }\n",
       "    if (js_urls == null || js_urls.length === 0) {\n",
       "      run_callbacks();\n",
       "      return null;\n",
       "    }\n",
       "    console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n",
       "    root._bokeh_is_loading = css_urls.length + js_urls.length;\n",
       "\n",
       "    function on_load() {\n",
       "      root._bokeh_is_loading--;\n",
       "      if (root._bokeh_is_loading === 0) {\n",
       "        console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n",
       "        run_callbacks()\n",
       "      }\n",
       "    }\n",
       "\n",
       "    function on_error(url) {\n",
       "      console.error(\"failed to load \" + url);\n",
       "    }\n",
       "\n",
       "    for (let i = 0; i < css_urls.length; i++) {\n",
       "      const url = css_urls[i];\n",
       "      const element = document.createElement(\"link\");\n",
       "      element.onload = on_load;\n",
       "      element.onerror = on_error.bind(null, url);\n",
       "      element.rel = \"stylesheet\";\n",
       "      element.type = \"text/css\";\n",
       "      element.href = url;\n",
       "      console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n",
       "      document.body.appendChild(element);\n",
       "    }\n",
       "\n",
       "    for (let i = 0; i < js_urls.length; i++) {\n",
       "      const url = js_urls[i];\n",
       "      const element = document.createElement('script');\n",
       "      element.onload = on_load;\n",
       "      element.onerror = on_error.bind(null, url);\n",
       "      element.async = false;\n",
       "      element.src = url;\n",
       "      console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n",
       "      document.head.appendChild(element);\n",
       "    }\n",
       "  };\n",
       "\n",
       "  function inject_raw_css(css) {\n",
       "    const element = document.createElement(\"style\");\n",
       "    element.appendChild(document.createTextNode(css));\n",
       "    document.body.appendChild(element);\n",
       "  }\n",
       "\n",
       "  const js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-mathjax-2.4.3.min.js\"];\n",
       "  const css_urls = [];\n",
       "\n",
       "  const inline_js = [    function(Bokeh) {\n",
       "      Bokeh.set_log_level(\"info\");\n",
       "    },\n",
       "function(Bokeh) {\n",
       "    }\n",
       "  ];\n",
       "\n",
       "  function run_inline_js() {\n",
       "    if (root.Bokeh !== undefined || force === true) {\n",
       "          for (let i = 0; i < inline_js.length; i++) {\n",
       "      inline_js[i].call(root, root.Bokeh);\n",
       "    }\n",
       "if (force === true) {\n",
       "        display_loaded();\n",
       "      }} else if (Date.now() < root._bokeh_timeout) {\n",
       "      setTimeout(run_inline_js, 100);\n",
       "    } else if (!root._bokeh_failed_load) {\n",
       "      console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n",
       "      root._bokeh_failed_load = true;\n",
       "    } else if (force !== true) {\n",
       "      const cell = $(document.getElementById(\"4115\")).parents('.cell').data().cell;\n",
       "      cell.output_area.append_execute_result(NB_LOAD_WARNING)\n",
       "    }\n",
       "  }\n",
       "\n",
       "  if (root._bokeh_is_loading === 0) {\n",
       "    console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n",
       "    run_inline_js();\n",
       "  } else {\n",
       "    load_libs(css_urls, js_urls, function() {\n",
       "      console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n",
       "      run_inline_js();\n",
       "    });\n",
       "  }\n",
       "}(window));"
      ],
      "application/vnd.bokehjs_load.v0+json": "(function(root) {\n  function now() {\n    return new Date();\n  }\n\n  const force = true;\n\n  if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n    root._bokeh_onload_callbacks = [];\n    root._bokeh_is_loading = undefined;\n  }\n\n\n  if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n    root._bokeh_timeout = Date.now() + 5000;\n    root._bokeh_failed_load = false;\n  }\n\n  const NB_LOAD_WARNING = {'data': {'text/html':\n     \"<div style='background-color: #fdd'>\\n\"+\n     \"<p>\\n\"+\n     \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n     \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n     \"</p>\\n\"+\n     \"<ul>\\n\"+\n     \"<li>re-rerun `output_notebook()` to attempt to load from CDN again, or</li>\\n\"+\n     \"<li>use INLINE resources instead, as so:</li>\\n\"+\n     \"</ul>\\n\"+\n     \"<code>\\n\"+\n     \"from bokeh.resources import INLINE\\n\"+\n     \"output_notebook(resources=INLINE)\\n\"+\n     \"</code>\\n\"+\n     \"</div>\"}};\n\n  function display_loaded() {\n    const el = document.getElementById(\"4115\");\n    if (el != null) {\n      el.textContent = \"BokehJS is loading...\";\n    }\n    if (root.Bokeh !== undefined) {\n      if (el != null) {\n        el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n      }\n    } else if (Date.now() < root._bokeh_timeout) {\n      setTimeout(display_loaded, 100)\n    }\n  }\n\n  function run_callbacks() {\n    try {\n      root._bokeh_onload_callbacks.forEach(function(callback) {\n        if (callback != null)\n          callback();\n      });\n    } finally {\n      delete root._bokeh_onload_callbacks\n    }\n    console.debug(\"Bokeh: all callbacks have finished\");\n  }\n\n  function load_libs(css_urls, js_urls, callback) {\n    if (css_urls == null) css_urls = [];\n    if (js_urls == 
null) js_urls = [];\n\n    root._bokeh_onload_callbacks.push(callback);\n    if (root._bokeh_is_loading > 0) {\n      console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n      return null;\n    }\n    if (js_urls == null || js_urls.length === 0) {\n      run_callbacks();\n      return null;\n    }\n    console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n    root._bokeh_is_loading = css_urls.length + js_urls.length;\n\n    function on_load() {\n      root._bokeh_is_loading--;\n      if (root._bokeh_is_loading === 0) {\n        console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n        run_callbacks()\n      }\n    }\n\n    function on_error(url) {\n      console.error(\"failed to load \" + url);\n    }\n\n    for (let i = 0; i < css_urls.length; i++) {\n      const url = css_urls[i];\n      const element = document.createElement(\"link\");\n      element.onload = on_load;\n      element.onerror = on_error.bind(null, url);\n      element.rel = \"stylesheet\";\n      element.type = \"text/css\";\n      element.href = url;\n      console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n      document.body.appendChild(element);\n    }\n\n    for (let i = 0; i < js_urls.length; i++) {\n      const url = js_urls[i];\n      const element = document.createElement('script');\n      element.onload = on_load;\n      element.onerror = on_error.bind(null, url);\n      element.async = false;\n      element.src = url;\n      console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n      document.head.appendChild(element);\n    }\n  };\n\n  function inject_raw_css(css) {\n    const element = document.createElement(\"style\");\n    element.appendChild(document.createTextNode(css));\n    document.body.appendChild(element);\n  }\n\n  const js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.4.3.min.js\", 
\"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.3.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-mathjax-2.4.3.min.js\"];\n  const css_urls = [];\n\n  const inline_js = [    function(Bokeh) {\n      Bokeh.set_log_level(\"info\");\n    },\nfunction(Bokeh) {\n    }\n  ];\n\n  function run_inline_js() {\n    if (root.Bokeh !== undefined || force === true) {\n          for (let i = 0; i < inline_js.length; i++) {\n      inline_js[i].call(root, root.Bokeh);\n    }\nif (force === true) {\n        display_loaded();\n      }} else if (Date.now() < root._bokeh_timeout) {\n      setTimeout(run_inline_js, 100);\n    } else if (!root._bokeh_failed_load) {\n      console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n      root._bokeh_failed_load = true;\n    } else if (force !== true) {\n      const cell = $(document.getElementById(\"4115\")).parents('.cell').data().cell;\n      cell.output_area.append_execute_result(NB_LOAD_WARNING)\n    }\n  }\n\n  if (root._bokeh_is_loading === 0) {\n    console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n    run_inline_js();\n  } else {\n    load_libs(css_urls, js_urls, function() {\n      console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n      run_inline_js();\n    });\n  }\n}(window));"
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "data": {
      "text/html": [
       "\n",
       "  <div class=\"bk-root\" id=\"716e8d74-a202-4002-89bb-314276d6b8b8\" data-root-id=\"4237\"></div>\n"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "data": {
      "application/javascript": [
       "(function(root) {\n",
       "  function embed_document(root) {\n",
       "  const docs_json = {\"c12660ba-b162-49f5-856d-b9a411459056\":{\"defs\":[],\"roots\":{\"references\":[{\"attributes\":{\"children\":[{\"id\":\"4118\"},{\"id\":\"4194\"}]},\"id\":\"4237\",\"type\":\"Row\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4177\",\"type\":\"Text\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":0.1},\"id\":\"4174\",\"type\":\"Dodge\"},{\"attributes\":{},\"id\":\"4199\",\"type\":\"LinearScale\"},{\"attributes\":{},\"id\":\"4204\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4177\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4179\"},\"nonselection_glyph\":{\"id\":\"4178\"},\"view\":{\"id\":\"4181\"}},\"id\":\"4180\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4158\",\"type\":\"AllLabels\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4185\",\"type\":\"Text\"},{\"attributes\":{\"axis\":{\"id\":\"4207\"},\"coordinates\":null,\"dimension\":1,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"4210\",\"type\":\"Grid\"},{\"attributes\":{\"axis_line_color\":null,\"coordinates\":null,\"formatter\":{\"id\":\"4157\"},\"group\":null,\"major_label_policy\":{\"id\":\"4158\"},\"major_label_standoff\":0,\"major_tick_line_color\":\"navy\",\"ticker\":{\"id\":\"4134\"},\"visible\":false},\"id\":\"4133\",\"type\":\"LinearAxis\"},{\"attributes\":{},\"id\":\"4208\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\
"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4169\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4171\"},\"nonselection_glyph\":{\"id\":\"4170\"},\"view\":{\"id\":\"4173\"}},\"id\":\"4172\",\"type\":\"GlyphRenderer\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4173\",\"type\":\"CDSView\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4181\",\"type\":\"CDSView\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4186\",\"type\":\"Text\"},{\"attributes\":{\"axis_line_color\":null,\"coordinates\":null,\"formatter\":{\"id\":\"4160\"},\"group\":null,\"major_label_policy\":{\"id\":\"4161\"},\"major_label_standoff\":0,\"major_tick_line_color\":\"navy\",\"ticker\":{\"id\":\"4190\"},\"visible\":false},\"id\":\"4129\",\"type\":\"LinearAxis\"},{\"attributes\":{},\"id\":\"4125\",\"type\":\"LinearScale\"},{\"attributes\":{\"ticks\":[1,2]},\"id\":\"4192\",\"type\":\"FixedTicker\"},{\"attributes\":{},\"id\":\"4250\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"below\":[{\"id\":\"4129\"}],\"center\":[{\"id\":\"4132\"},{\"id\":\"4136\"},{\"id\":\"4164\"}],\"height\":700,\"left\":[{\"id\":\"4133\"}],\"outline_line_color\":null,\"renderers\":[{\"id\":\"4153\"},{\"id\":\"4172\"},{\"id\":\"4180\"},{\"id\":\"4188\"}],\"title\":{\"id\":\"4119\"},\"toolbar\":{\"id\":\"4141\"},\"toolbar_location\":\"above\",\"width\":900,\"x_range\":{\"id\":\"4121\"},\"x_scale\":{\"id\":\"4125\"},\"y_range\":{\"id\":\"4123\"},\"y_scale\":{\"id\":\"4127\"}},\"id\":\"4118\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":{},\"id\":\"4212\",\"type\":\"WheelZoomTool\"},{\"attributes\":{\"text\":{\"field\":\"__proc_id$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{
\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4182\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4183\"}}},\"id\":\"4187\",\"type\":\"Text\"},{\"attributes\":{\"active_multi\":{\"id\":\"4232\"},\"tools\":[{\"id\":\"4211\"},{\"id\":\"4212\"},{\"id\":\"4213\"},{\"id\":\"4214\"},{\"id\":\"4215\"},{\"id\":\"4216\"},{\"id\":\"4232\"}]},\"id\":\"4218\",\"type\":\"Toolbar\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.2},\"height\":{\"value\":0.8},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4229\",\"type\":\"Rect\"},{\"attributes\":{\"overlay\":{\"id\":\"4217\"}},\"id\":\"4213\",\"type\":\"BoxZoomTool\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4227\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4229\"},\"nonselection_glyph\":{\"id\":\"4228\"},\"view\":{\"id\":\"4231\"}},\"id\":\"4230\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4211\",\"type\":\"PanTool\"},{\"attributes\":{\"range\":{\"id\":\"4123\"},\"value\":0.25},\"id\":\"4175\",\"type\":\"Dodge\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4231\",\"type\":\"CDSView\"},{\"attributes\":{},\"id\":\"4215\",\"type\":\"ResetTool\"},{\"attributes\":{\"overlay\":{\"id\":\"4233\"},\"x_range\":null,\"y_range\":{\"id\":\"4123\"}},\"id\":\"4232\",\"type\":\"RangeTool\"},{\"attributes\":{},\"id\":\"4251\",\"type\":\"AllLabels\"},{\"attributes\":{},\"id\":\"4127\",\"type\":\"LinearScale\"},{\"attributes\":{},\"id\":\"4214\",\"type\":\"SaveTool\"},{\"attributes\":{\"coordinates\":null,\"fill_alpha\":0.2,\"fill_color\":\"navy\",\"group\":null,\"level\":\"overlay\",\"line_alpha\":1
.0,\"line_color\":\"black\",\"line_dash\":[2,2],\"line_width\":0.5,\"syncable\":false},\"id\":\"4233\",\"type\":\"BoxAnnotation\"},{\"attributes\":{\"bottom_units\":\"screen\",\"coordinates\":null,\"fill_alpha\":0.5,\"fill_color\":\"lightgrey\",\"group\":null,\"left_units\":\"screen\",\"level\":\"overlay\",\"line_alpha\":1.0,\"line_color\":\"black\",\"line_dash\":[4,4],\"line_width\":2,\"right_units\":\"screen\",\"syncable\":false,\"top_units\":\"screen\"},\"id\":\"4217\",\"type\":\"BoxAnnotation\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.1},\"height\":{\"value\":0.8},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4228\",\"type\":\"Rect\"},{\"attributes\":{\"range\":null,\"value\":-0.5},\"id\":\"4225\",\"type\":\"Dodge\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"text\":\"ProcessTree\"},\"id\":\"4119\",\"type\":\"Title\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4154\",\"type\":\"CDSView\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":1.75},\"id\":\"4148\",\"type\":\"Dodge\"},{\"attributes\":{\"source\":{\"id\":\"4116\"}},\"id\":\"4189\",\"type\":\"CDSView\"},{\"attributes\":{},\"id\":\"4137\",\"type\":\"ResetTool\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.2},\"height\":{\"value\":0.95},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4152\",\"type\":\"Rect\"},{\"attributes\":{\"range\":{\"id\":\"4123\"},\"value\":0.25},\"id\":\"4183\",\"type\":\"Dodge\"},{\"attributes\":{\"dimension\":\"height\"},\"id\":\"4140\",\"type\":\"
WheelPanTool\"},{\"attributes\":{\"active_scroll\":{\"id\":\"4140\"},\"tools\":[{\"id\":\"4137\"},{\"id\":\"4138\"},{\"id\":\"4139\"},{\"id\":\"4140\"},{\"id\":\"4146\"}]},\"id\":\"4141\",\"type\":\"Toolbar\"},{\"attributes\":{\"coordinates\":null,\"group\":null},\"id\":\"4239\",\"type\":\"Title\"},{\"attributes\":{\"range\":{\"id\":\"4123\"},\"value\":-0.2},\"id\":\"4167\",\"type\":\"Dodge\"},{\"attributes\":{},\"id\":\"4195\",\"type\":\"DataRange1d\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":0.1},\"id\":\"4166\",\"type\":\"Dodge\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4170\",\"type\":\"Text\"},{\"attributes\":{\"coordinates\":null,\"formatter\":{\"id\":\"4247\"},\"group\":null,\"major_label_policy\":{\"id\":\"4248\"},\"ticker\":{\"id\":\"4208\"},\"visible\":false},\"id\":\"4207\",\"type\":\"LinearAxis\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.6},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"height\":{\"value\":0.8},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":1.2},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4225\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4227\",\"type\":\"Rect\"},{\"attributes\":{},\"id\":\"4248\",\"type\":\"AllLabels\"},{\"attributes\":{\"below\":[{\"id\":\"4203\"}],\"center\":[{\"id\":\"4206\"},{\"id\":\"4210\"}],\"height\":700,\"left\":[{\"id\":\"4207\"}],\"renderers\":[{\"id\":\"4230\"}],\"title\":{\"id\":\"4239\"},\"toolbar\":{\"id\":\"4218\"},\"toolbar_location\":null,\"width\":90,\"x_range\":{\"id\":\"4195\"},\"x_scale\":{\"id\":\"4199\"},\"y_range\":{\"id\":\"4197\"},\"y_scale\":{\"id\":\"4201\"}},\"id\":\"4194\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":{},\"id\":\
"4247\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"factors\":[\"unknown\",\"nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"apt.systemd.dai\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"/sbin/init\",\"kthreadd\"],\"palette\":[\"#440154\",\"#46317E\",\"#365A8C\",\"#277E8E\",\"#1EA087\",\"#49C16D\",\"#9DD93A\",\"#FDE724\"]},\"id\":\"4117\",\"type\":\"CategoricalColorMapper\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"hatch_alpha\":{\"value\":0.1},\"height\":{\"value\":0.95},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4151\",\"type\":\"Rect\"},{\"attributes\":{\"data\":{\"EffectiveLogonId\":[0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"EffectiveLogonId_par\":{\"__ndarray__\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"IsBranch\":[false,false,false,false,false,false,false,false,false,false,false,false,false,false],\"IsLeaf\":[false,true,true,true,true,true,false,true,true,true,false,true,false,true],\"IsRoot\":[true,false,false,false,false,false,true,false,false,false,true,false,true,false],\"Level\":[1,2,2,2,2,2,1,2,2,2,1,2,1,2],\"NewProcessId_par\":[\"NaN\",\"2\",\"2\",\"2\",\"2\",\"2\",\"NaN\",\"54660\",\"54660\",\"54660\",\"NaN\",\"1\",\"NaN\",\"58994\"],\"Row\":[14,13,12,11,10,9,8,7,6,5,4,3,2,1],\"__cmd_line$$\":[\"nan\",\"\",\"\",\"\",\"\",\"\",\"nan\",\"sleep 5m\",\"sleep 5m\",\"sleep 5m\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held install\"],\"__proc_id$$\":[\"PID: 0x2\",\"PID: 0xe247\",\"PID: 0x96bb\",\"PID: 0xd371\",\"PID: 0xe3b0\",\"PID: 
0xe3b3\",\"PID: 0xd584\",\"PID: 0xe317\",\"PID: 0xe317\",\"PID: 0xe645\",\"PID: 0x1\",\"PID: 0xe672\",\"PID: 0xe672\",\"PID: 0xe67f\"],\"__proc_name$$\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"init\",\"systemd\",\"apt.systemd.daily install\",\"apt.systemd.dai\"],\"action\":[\"NaN\",\"added\",\"removed\",\"removed\",\"added\",\"added\",\"NaN\",\"added\",\"removed\",\"added\",\"NaN\",\"added\",\"NaN\",\"added\"],\"calendarTime\":{\"__ndarray__\":\"AAAAAAAAAAAAgGj3X2F4QgCAI0FgYXhCAIAjQWBheEIAgCNBYGF4QgCAI0FgYXhCAAAAAAAAAAAAgGj3X2F4QgCAI0FgYXhCAIAjQWBheEIAAAAAAAAAAACAI0FgYXhCAAAAAAAAAAAAgCNBYGF4Qg==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"columns_cmdline\":[\"nan\",\"\",\"\",\"\",\"\",\"\",\"nan\",\"sleep 5m\",\"sleep 5m\",\"sleep 5m\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"nan\",\"/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held install\"],\"columns_euid\":[\"NaN\",\"0\",\"0\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"NaN\",\"0\"],\"columns_name\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"/sbin/init\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily 
install\",\"apt.systemd.dai\"],\"columns_name_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_parent\":[\"NaN\",\"2\",\"2\",\"2\",\"2\",\"2\",\"NaN\",\"54660\",\"54660\",\"54660\",\"NaN\",\"1\",\"NaN\",\"58994\"],\"columns_parent_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_path\":[\"NaN\",\"\",\"\",\"\",\"\",\"\",\"NaN\",\"\",\"\",\"\",\"NaN\",\"\",\"NaN\",\"\"],\"columns_pcmdline\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\"],\"columns_pid\":[\"2\",\"57927\",\"38587\",\"54129\",\"58288\",\"58291\",\"54660\",\"58135\",\"58135\",\"58949\",\"1\",\"58994\",\"58994\",\"59007\"],\"columns_pid_par\":[\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\",\"NaN\"],\"columns_uid\":[\"NaN\",\"0\",\"0\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"0\",\"0\",\"NaN\",\"0\",\"NaN\",\"0\"],\"columns_username\":[\"NaN\",\"root\",\"root\",\"root\",\"root\",\"root\",\"NaN\",\"root\",\"root\",\"root\",\"NaN\",\"root\",\"NaN\",\"root\"],\"counter\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAHCLQAAAAAAAeItAAAAAAAB4i0AAAAAAAHiLQAAAAAAAeItAAAAAAAAA+H8AAAAAAHCLQAAAAAAAeItAAAAAAAB4i0AAAAAAAAD4fwAAAAAAeItAAAAAAAAA+H8AAAAAAHiLQA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"decorations_host_uuid\":[\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"F7E6787D-B2
D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\",\"NaN\",\"F7E6787D-B2D8-4830-854E-33AF0A1338B8\"],\"decorations_username\":[\"NaN\",\"\",\"\",\"\",\"\",\"\",\"NaN\",\"\",\"\",\"\",\"NaN\",\"\",\"NaN\",\"\"],\"epoch\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+H8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4fwAAAAAAAAAAAAAAAAAA+H8AAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"hostIdentifier\":[\"NaN\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\",\"HOSTNAME\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\",\"NaN\",\"HOSTNAME\"],\"index\":[0,1,2,3,4,5,6,7,8,9,10,11,12,13],\"name\":[\"NaN\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\",\"NaN\",\"pack_osquery-custom-pack2_processes\"],\"new_process_lc\":[\"unknown\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"kthreadd\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"nextcloud-cron\",\"/sbin/init\",\"systemd\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"apt.systemd.dai\"],\"new_process_lc_par\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily 
install\"],\"numerics\":[\"NaN\",false,false,false,false,false,\"NaN\",false,false,false,\"NaN\",false,\"NaN\",false],\"parent_index\":[\"NaN\",\"10\",\"10\",\"10\",\"10\",\"10\",\"NaN\",\"11\",\"11\",\"11\",\"NaN\",\"12\",\"NaN\",\"13\"],\"parent_key\":[\"NaN\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"unknown|2|1970-01-01 00:00:00.000000\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"NaN\",\"/sbin/init|1|1970-01-01 00:00:00.000000\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install|58994|1970-01-01 00:00:00.000000\"],\"parent_proc_lc\":[\"NaN\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"unknown\",\"NaN\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron\",\"NaN\",\"/sbin/init\",\"NaN\",\"/bin/sh /usr/lib/apt/apt.systemd.daily install\"],\"path\":[\"10\",\"10/0\",\"10/2\",\"10/3\",\"10/5\",\"10/6\",\"11\",\"11/1\",\"11/4\",\"11/7\",\"12\",\"12/8\",\"13\",\"13/9\"],\"proc_key\":[\"unknown|2|1970-01-01 00:00:00.000000\",\"kthreadd|57927|2023-02-03 06:38:29.000000\",\"kthreadd|38587|2023-02-03 06:43:31.000000\",\"kthreadd|54129|2023-02-03 06:43:31.000000\",\"kthreadd|58288|2023-02-03 06:43:31.000000\",\"kthreadd|58291|2023-02-03 06:43:31.000000\",\"/bin/sh /snap/nextcloud/33054/bin/nextcloud-cron|54660|1970-01-01 00:00:00.000000\",\"nextcloud-cron|58135|2023-02-03 06:38:29.000000\",\"nextcloud-cron|58135|2023-02-03 06:43:31.000000\",\"nextcloud-cron|58949|2023-02-03 06:43:31.000000\",\"/sbin/init|1|1970-01-01 00:00:00.000000\",\"systemd|58994|2023-02-03 06:43:31.000000\",\"/bin/sh 
/usr/lib/apt/apt.systemd.daily install|58994|1970-01-01 00:00:00.000000\",\"apt.systemd.dai|59007|2023-02-03 06:43:31.000000\"],\"source_index\":[\"10\",\"0\",\"2\",\"3\",\"5\",\"6\",\"11\",\"1\",\"4\",\"7\",\"12\",\"8\",\"13\",\"9\"],\"source_index_par\":{\"__ndarray__\":\"AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fwAAAAAAAPh/AAAAAAAA+H8AAAAAAAD4fw==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"timestamp_orig_par\":{\"__ndarray__\":\"/Knx0k1iQMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/Knx0k1iQMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8qfHSTWJAwwAAAAAAAAAA/Knx0k1iQMMAAAAAAAAAAA==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]},\"unixTime\":{\"__ndarray__\":\"AAAAAAAA+H8AAED5KvfYQQAAwEQr99hBAADARCv32EEAAMBEK/fYQQAAwEQr99hBAAAAAAAA+H8AAED5KvfYQQAAwEQr99hBAADARCv32EEAAAAAAAD4fwAAwEQr99hBAAAAAAAA+H8AAMBEK/fYQQ==\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[14]}},\"selected\":{\"id\":\"4163\"},\"selection_policy\":{\"id\":\"4162\"}},\"id\":\"4116\",\"type\":\"ColumnDataSource\"},{\"attributes\":{\"axis\":{\"id\":\"4133\"},\"coordinates\":null,\"dimension\":1,\"grid_line_color\":\"navy\",\"group\":null,\"ticker\":null,\"visible\":false},\"id\":\"4136\",\"type\":\"Grid\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4169\",\"type\":\"Text\"},{\"attributes\":{\"end\":15,\"start\":-1},\"id\":\"4197\",\"type\":\"Range1d\"},{\"attributes\":{\"callback\":null,\"formatters\":{\"@calendarTime\":\"datetime\"},\"renderers\":[{\"id\":\"4153\"}],\"tooltips\":[[\"Process\",\"@columns_name\"],[\"PID\",\"@columns_pid\"],[\"CmdLine\",\"@columns_cmdline\"],[\"SubjUser\",\"@columns_username\"],[\"SubjLgnId\",\"@None\"],[
\"TgtLgnId\",\"@None\"],[\"Time\",\"@calendarTime{%F %T.%3N}\"]]},\"id\":\"4146\",\"type\":\"HoverTool\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"items\":[{\"id\":\"4165\"}],\"label_text_font_size\":\"7pt\",\"title\":\"columns_name\"},\"id\":\"4164\",\"type\":\"Legend\"},{\"attributes\":{\"end\":5,\"start\":1},\"id\":\"4121\",\"type\":\"Range1d\"},{\"attributes\":{},\"id\":\"4161\",\"type\":\"AllLabels\"},{\"attributes\":{\"range\":{\"id\":\"4121\"},\"value\":2.2},\"id\":\"4182\",\"type\":\"Dodge\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_alpha\":{\"value\":0.1},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4178\",\"type\":\"Text\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4185\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4187\"},\"nonselection_glyph\":{\"id\":\"4186\"},\"view\":{\"id\":\"4189\"}},\"id\":\"4188\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4163\",\"type\":\"Selection\"},{\"attributes\":{\"ticks\":[1,2]},\"id\":\"4190\",\"type\":\"FixedTicker\"},{\"attributes\":{},\"id\":\"4138\",\"type\":\"SaveTool\"},{\"attributes\":{},\"id\":\"4162\",\"type\":\"UnionRenderers\"},{\"attributes\":{},\"id\":\"4134\",\"type\":\"BasicTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"4116\"},\"glyph\":{\"id\":\"4150\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"4152\"},\"nonselection_glyph\":{\"id\":\"4151\"},\"view\":{\"id\":\"4154\"}},\"id\":\"4153\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"4201\",\"type\":\"LinearScale\"},{\"attributes\":{\"axis\":{\"id\":\"4129\"},\"coordinates\":null,\"grid_line_alpha\":0.1,\"grid_line_color\":\"navy\",\"group\":null,\"minor_grid_line_alpha\":0.1,\"minor_grid_l
ine_color\":\"navy\",\"ticker\":{\"id\":\"4192\"}},\"id\":\"4132\",\"type\":\"Grid\"},{\"attributes\":{},\"id\":\"4157\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"coordinates\":null,\"formatter\":{\"id\":\"4250\"},\"group\":null,\"major_label_policy\":{\"id\":\"4251\"},\"ticker\":{\"id\":\"4204\"},\"visible\":false},\"id\":\"4203\",\"type\":\"LinearAxis\"},{\"attributes\":{\"end\":15,\"start\":-6},\"id\":\"4123\",\"type\":\"Range1d\"},{\"attributes\":{\"callback\":null},\"id\":\"4139\",\"type\":\"TapTool\"},{\"attributes\":{},\"id\":\"4216\",\"type\":\"HelpTool\"},{\"attributes\":{},\"id\":\"4160\",\"type\":\"BasicTickFormatter\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.4},\"fill_color\":{\"field\":\"columns_name\",\"transform\":{\"id\":\"4117\"}},\"height\":{\"value\":0.95},\"line_color\":{\"value\":\"#1f77b4\"},\"width\":{\"value\":3.5},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4148\"}},\"y\":{\"field\":\"Row\"}},\"id\":\"4150\",\"type\":\"Rect\"},{\"attributes\":{\"label\":{\"field\":\"columns_name\"},\"renderers\":[{\"id\":\"4153\"}]},\"id\":\"4165\",\"type\":\"LegendItem\"},{\"attributes\":{\"axis\":{\"id\":\"4203\"},\"coordinates\":null,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"4206\",\"type\":\"Grid\"},{\"attributes\":{\"text\":{\"field\":\"__proc_name$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"8pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4174\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4175\"}}},\"id\":\"4179\",\"type\":\"Text\"},{\"attributes\":{\"text\":{\"field\":\"__cmd_line$$\"},\"text_alpha\":{\"value\":0.2},\"text_baseline\":{\"value\":\"middle\"},\"text_color\":{\"value\":\"black\"},\"text_font_size\":{\"value\":\"7pt\"},\"x\":{\"field\":\"Level\",\"transform\":{\"id\":\"4166\"}},\"y\":{\"field\":\"Row\",\"transform\":{\"id\":\"4167\"}}},\"id\":\"4171\",\"type\":\"Text\"}],\"root_
ids\":[\"4237\"]},\"title\":\"Bokeh Application\",\"version\":\"2.4.3\"}};\n",
       "  const render_items = [{\"docid\":\"c12660ba-b162-49f5-856d-b9a411459056\",\"root_ids\":[\"4237\"],\"roots\":{\"4237\":\"716e8d74-a202-4002-89bb-314276d6b8b8\"}}];\n",
       "  root.Bokeh.embed.embed_items_notebook(docs_json, render_items);\n",
       "  }\n",
       "  if (root.Bokeh !== undefined) {\n",
       "    embed_document(root);\n",
       "  } else {\n",
       "    let attempts = 0;\n",
       "    const timer = setInterval(function(root) {\n",
       "      if (root.Bokeh !== undefined) {\n",
       "        clearInterval(timer);\n",
       "        embed_document(root);\n",
       "      } else {\n",
       "        attempts++;\n",
       "        if (attempts > 100) {\n",
       "          clearInterval(timer);\n",
       "          console.log(\"Bokeh: ERROR: Unable to run BokehJS code because BokehJS library is missing\");\n",
       "        }\n",
       "      }\n",
       "    }, 10, root)\n",
       "  }\n",
       "})(window);"
      ],
      "application/vnd.bokehjs_exec.v0+json": ""
     },
     "metadata": {
      "application/vnd.bokehjs_exec.v0+json": {
       "id": "4237"
      }
     },
     "output_type": "display_data"
    },
    {
     "data": {
      "text/plain": [
       "(Figure(id='4118', ...), Row(id='4237', ...))"
      ]
     },
     "execution_count": 29,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "# partial tree - 10 processes only\n",
    "process_tree.plot_process_tree(data=df_process[50:60], legend_col=\"columns_name\")"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "5a932ecb-34c6-4bce-ab77-a59f00da0c1a",
   "metadata": {},
   "outputs": [],
   "source": []
  },
  {
   "cell_type": "code",
   "execution_count": 12,
   "id": "af58a92f-f3a3-4fac-bd36-76656892bf0d",
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "name                     object\n",
       "hostIdentifier           object\n",
       "calendarTime             object\n",
       "unixTime                  int64\n",
       "epoch                     int64\n",
       "counter                   int64\n",
       "numerics                   bool\n",
       "action                   object\n",
       "decorations_host_uuid    object\n",
       "decorations_username     object\n",
       "columns_uid              object\n",
       "columns_username         object\n",
       "columns_md5              object\n",
       "columns_action           object\n",
       "columns_atime            object\n",
       "columns_category         object\n",
       "columns_ctime            object\n",
       "columns_mode             object\n",
       "columns_mtime            object\n",
       "columns_sha256           object\n",
       "columns_size             object\n",
       "columns_target_path      object\n",
       "columns_time             object\n",
       "dtype: object"
      ]
     },
     "execution_count": 12,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "# FIXME: the schema above is correct, but here it is not: the time columns are not datetime64\n",
    "df_fim.dtypes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "372595f5-49a2-4dc4-9024-7fa7a69f3244",
   "metadata": {},
   "outputs": [],
   "source": [
    "df_fim.mp_plot.timeline(\n",
    "   title=\"FIM by action\",\n",
    "   # group_by=\"columns.action\",\n",
    "   # group_by=\"columns.username\",\n",
    "   group_by=\"columns_target_path\", \n",
    "   source_columns=[\"columns_username\", \"columns_action\", \"columns_category\", \"columns_target_path\"],\n",
    "   time_column=\"columns_time\",\n",
    "   legend=\"left\",\n",
    "   height=200,\n",
    ")"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "86e105f2-bebb-46fd-a9c0-7fbfa3458400",
   "metadata": {},
   "outputs": [],
   "source": []
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "b2d9ff6e-7569-471d-9d76-9c2f9b0decd9",
   "metadata": {},
   "outputs": [],
   "source": [
    "df_outbound_conn.mp_plot.matrix(x=\"columns_name\", y=\"columns_remote_address\", title=\"Process name vs remote address Interaction\")"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "03a5e9db-e3fe-4db2-ad92-65b82141c1a8",
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.10.9"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}
